Gateway | Social IdP Integration

Initial Social Provider API integrations

This section contains instructions for setting the initial API key and secret to allow authentication to a Service Provider from one of the social login providers supported by the Cirrus Gateway.

Before starting, the Org or SP Admin will need a developer account for each social provider to be integrated. The detailed instructions for integrating each Social Provider are presented in the Cirrus Console alongside the fields where the API key and secret must be entered. For each enabled social provider, the following general steps will be required:

  1. Navigate to the Social Provider developer console from the link provided in the Cirrus Console and define an application

  2. If needed, perform steps to set permissions to access data from the Social Provider

  3. If needed, perform necessary steps to establish your brand for the Social Provider integration including uploading a logo, and providing a link to terms-of-service or privacy policy

  4. Create an API key value with the associated API secret, and copy those to the Cirrus Console

  5. Set the redirect URI provided in the Cirrus Console for your new Social Provider integration

  6. Set how eduPersonPrincipalName (ePPN) should be configured — for most integration patterns having it set to “Unique ID Scoped to…” is a good starting point

  7. If the Social Provider is Facebook, LinkedIn, or Twitter, set whether the email attribute should be requested

The following is a screenshot of the Cirrus Console API setup for Google (sensitive data has been redacted).

google_api_integration_redacted.png

Adding additional Service Providers with same Social Provider API integrations

This section contains instructions for settings in the Cirrus Identity console that allow sharing an API key and secret with multiple Service Providers. 

You may decide to use the same Social Identity Provider integration across multiple Service Providers for several reasons:

  • For a single service, you may have different dev, test, and production instances where you want to share the same API key and secret.

  • You may wish to have the same unique identifier for all users. Both Facebook and LinkedIn generate a unique identifier that is tied to a particular API integration, similar to an eduPersonTargetedID.

  • Administratively, you may want to centralize the developer accounts used to manage API keys and secrets; in doing so, you may end up with a consolidated number of key-secret pairs.

Regardless of the strategy, after setting an initial API key and secret for each Social Provider, you can share the key-secret pair across multiple Service Providers. You only need to add a new authorized redirect URI for each Service Provider to the social provider's API settings.

To add a new Service Provider using the same API Key and Secret:

  1. Log into the Cirrus Identity console and navigate under the MySPs tab to the Service Provider that has the existing API Key and Secret. Be sure you know the credentials for the user account at the Social Provider that was used with the initial API integration. 

  2. Copy and paste the API Key and Secret from the existing Service Provider to the configuration page for the new Service Provider.

  3. While still at the top of the API Setup Guide, open the Social Provider’s developer console in a new window from the link provided.

google_api_copy_key_secret.png

  4. In the API Setup Guide of the NEW Service Provider, scroll down until you find the Authorized redirect URI — this should be added to the authorized redirect URIs associated with the API key in the Social Provider’s console (see the .

google_api_redirect_uri.png

Adding Authorized Redirect URIs to social provider developer consoles

This section outlines how to add additional Authorized redirect URIs in the different Social Provider developer consoles. See the section “Adding additional Service Providers with same Social Provider API integrations” for details on copying the API key-secret pairs between different service providers.

If you are sharing an API key-secret pair with more than one Service Provider, you will need to add an Authorized redirect URI for each Service Provider that shares the same API key-secret pair.
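As an added example (not part of the Cirrus documentation or product), the following Python sketch audits one shared key-secret pair: it compares the redirect URI each Service Provider needs against the list registered at the social provider, and reports URIs that are missing, stale, or weak. The SP names, hostnames and URIs are constructed placeholders, and it assumes the provider compares redirect URIs by exact string match, as the OAuth 2.0 Security Best Current Practice recommends.

```python
from urllib.parse import urlsplit

# Constructed sample data: SP names, hostnames and paths are placeholders,
# not real Cirrus Gateway redirect URIs.
SP_REDIRECT_URIS = {
    "portal-dev":  "https://gateway.example.org/callback/portal-dev",
    "portal-test": "https://gateway.example.org/callback/portal-test",
    "portal-prod": "https://gateway.example.org/callback/portal-prod",
}
REGISTERED_AT_PROVIDER = [
    "https://gateway.example.org/callback/portal-dev",
    "https://gateway.example.org/callback/portal-prod/",  # trailing slash differs
    "http://gateway.example.org/callback/old-sp",         # unused and not HTTPS
]


def uri_problems(uri):
    """Return hygiene problems for one registered redirect URI."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if "*" in uri:
        problems.append("wildcard")
    if parts.fragment:
        problems.append("has fragment")
    return problems


def audit(sp_uris, registered):
    """Compare what each SP needs with what the shared API key allows.

    Assumption: exact string comparison, so a trailing slash is a mismatch.
    """
    registered_set = set(registered)
    needed = set(sp_uris.values())
    return {
        # SPs whose logins will fail until their URI is added at the provider
        "missing": sorted(sp for sp, uri in sp_uris.items()
                          if uri not in registered_set),
        # Registered URIs that no SP uses: candidates for removal
        "stale": sorted(registered_set - needed),
        # Registered URIs that fail the hygiene checks above
        "weak": {u: p for u in registered if (p := uri_problems(u))},
    }
```

Removing the stale entries matters as much as adding the missing ones: every URI left on the list remains a valid destination for tokens issued under the shared key.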

Facebook

Once logged in to the Facebook developers console:

Choose the application that is already integrated (the one with the matching API Key).

On the dashboard, choose "Facebook Login | Settings" from the left navigation bar

Add the Authorized redirect URI you copied from the Cirrus console to the list of Valid OAuth Redirect URIs and click Save

fb_redirect_uri.png

Google

Once in the Google console, select the project appropriate for your integration

Choose "APIs & services | Credentials" from the left navigation bar

Click on the name of the defined OAuth 2.0 client IDs

Add the Authorized redirect URI you copied from the Cirrus console to the list of Authorized redirect URIs for the credential and click Save

google_redirect_uri.png

LinkedIn

Log in to the developer's console

Choose the application that is already integrated (the one that matches the API Key)

Go to the Auth panel and edit the OAuth 2.0 settings

Add the Authorized redirect URI you copied from the Cirrus console to the list of Redirect URIs for the credential and click Update

linkedin_redirect_uri.png

Twitter

Log in to the developer's console

Choose the application that is already integrated (the one that matches the API Key)

On the App details panel, click the “Edit” button to modify the list of Callback URLs

Add the Authorized redirect URI you copied from the Cirrus console to the list of Callback URLs for the application and click Save

twitter_redirect_uri.png

Weibo

Log in to the Open Weibo site

Select the application under My Applications

Under the Application menu select Advanced

Click edit in the OAuth2.0 authorization settings and enter the link as the Authorization callback page

Redirect URLs 6.png

Microsoft

Log in to the developer's console

Choose the application that is already integrated (the one that matches the API Key)

Add the Authorized redirect URI you copied from the Cirrus console to the list of Redirect URLs under Platforms and click Save at the bottom of the page

microsoft_redirect_uri.png

Managing Social Provider Integrations

Your organization will need to set up the API integrations with each social identity provider. Because people and organization units come and go, you may want to consider the following options when deciding how to set up your API integrations:

  1. Google, Facebook, and LinkedIn allow you to add more than one administrator for an application integration with their identities. 

  2. Twitter, Weibo, and Microsoft allow only one account to administer the API integration

  3. Yahoo is an OpenID v2 provider and you don't need to set an API Key and Secret

Record the account name used to set up API integrations in the Cirrus Console

Document the accounts you use to set up your integrations on the main setup page for your API Integrations:

Gateway - Record Account Used for Integration.png

We highly recommend you establish multiple administrators. Below are instructions for setting more than one admin for Google. 

Remember that you can access the social provider API consoles by going to the Cirrus Console, choosing the social provider from the icons on the left, and then clicking the link on the right in the API integration instructions window.

Google

  • Log in to the developers console

  • From the Google Cloud Platform Dashboard, select the menu button at the far left

  • From the menu, choose "APIs & Services | IAM"

  • Then choose "Add"

  • Add another member with role of “Owner” and click “Save”

google_muliple_user_a.png
google_muliple_user_b.png
google_muliple_user_c.png

Facebook

  • Log in to the Facebook developers console

  • From the Facebook developers console, select the application for which you're adding admins

  • From the menu in the left nav bar, choose "Roles" 

  • Then choose "Add Administrators"

fb_multi_dev.png

LinkedIn

  • Log in to the LinkedIn developers console

  • From the LinkedIn developers console dashboard, select the application for which you're adding admins

  • Select the “Team members” panel 

  • Click the “Add team member” option to add additional admins (you will need to have a first level LinkedIn connection to the admins you add)

linkedin_multi_dev.png